configure-always-encrypted-enclaves.md

title	description	author	ms.author	ms.reviewer	ms.date	ms.service	ms.subservice	ms.custom	ms.topic
Configure and use Always Encrypted with secure enclaves| Microsoft Docs	Learn how to configure and use Always Encrypted with secure enclaves in SQL Server and Azure SQL Database, which enables richer functionality on sensitive data.	Pietervanhove	pivanho	vanto	11/14/2023	sql	security	ignite-2023	conceptual

Configure and use Always Encrypted with secure enclaves

[!INCLUDE sqlserver2019-windows-only-asdb]

Always Encrypted with secure enclaves extends the existing Always Encrypted feature to enable richer functionality on sensitive data while keeping the data confidential. This article lists common tasks for configuring and using the feature.

For tutorials that show you how to quickly get started with Always Encrypted with secure enclaves, see:

• Getting started using Always Encrypted with secure enclaves

Set up the secure enclave and attestation

Before you can use Always Encrypted with secure enclaves, you need to configure your environment to ensure the secure enclave is available for the database. You might also need to set up enclave attestation, if applicable.

The process for setting up your environment depends on whether you're using [!INCLUDEsql-server-2019] and later or [!INCLUDE ssazure-sqldb].

Set up the secure enclave and attestation in [!INCLUDE ssnoversion-md]

To set up Always Encrypted with secure enclaves without attestation, see:

• Plan for Always Encrypted with secure enclaves in SQL Server without attestation
• Configure the secure enclave in SQL Server

To set up Always Encrypted with secure enclaves and attestation, see:

• Plan for Host Guardian Service attestation
• [Deploy the Host Guardian Service for [!INCLUDE ssnoversion-md]](./always-encrypted-enclaves-host-guardian-service-deploy.md)
• Register computer with the Host Guardian Service
• Configure the secure enclave in SQL Server

Set up the secure enclave and attestation in [!INCLUDE ssazure-sqldb]

For details, see the following articles:

• [Plan for secure enclaves in [!INCLUDE ssazure-sqldb]](/azure/azure-sql/database/always-encrypted-enclaves-plan)
• [Enable Always Encrypted with secure enclaves for your [!INCLUDE ssazure-sqldb]](/azure/azure-sql/database/always-encrypted-enclaves-enable)
• Configure Azure Attestation for your Azure SQL Database logical server

Important

VBS enclaves in Azure SQL Database do not support attestation. Configuring Azure Attestation only applies to Intel SGX enclaves.

Manage keys for Always Encrypted with secure enclaves

• Manage keys for Always Encrypted with secure enclaves - overview
• Provision enclave-enabled keys
• Rotate enclave-enabled keys

Configure columns with Always Encrypted with secure enclaves

• Configure column encryption in-place using Always Encrypted with secure enclaves - overview
• Configure column encryption in-place with Transact-SQL
• Configure column encryption in-place with PowerShell
• Configure column encryption in-place with DAC Package
• Enable Always Encrypted with secure enclaves for existing encrypted columns

Run Transact-SQL statements using secure enclaves

• Run Transact-SQL statements using secure enclaves
• Troubleshoot common issues for Always Encrypted with secure enclaves

Create and use indexes on enclave-enabled columns

• Create and use indexes on columns using Always Encrypted with secure enclaves

Develop applications using Always Encrypted with secure enclaves

• Develop applications using Always Encrypted with secure enclaves

See also

• Getting started using Always Encrypted with secure enclaves